![]() ![]() Oracle's decision presents a mixed bag of outcomes, in one observer's view. ![]() However, "going forward, Oracle WebLogic Server will be the single strategic commercially supported application server from Oracle," the post reiterated. GlassFish Server Open Source Edition continues to be the strategic foundation for Java EE reference implementation going forward." ![]() "Java EE 7 has been released and planning for Java EE 8 has begun. #Usage: $ python poc.py #E.g: $ python poc.py 192.168.0."Oracle is committed to the future of Java EE," it states. ![]() ORACLE GLASSFISH CODELog Viewer: Information about the Java Virtual Machine installed on the server: Installed components: Properties of an existing JDBC connection pool, including DB password: The following Python code is a Proof-of-Concept of the vulnerability it will retrieve the content of the Log Viewer effectively bypassing the authentication: The vulnerability described above allows attackers to access the content of the following pages without being authenticated: ORACLE GLASSFISH FULLIt is important to note that the response of GlassFish Server to a TRACE request includes the full content of the requested resource in the response body, as in a GET request according to RFC 2616 (Hypertext Transfer Protocol - HTTP/1.1), section 9.8, the response SHOULD reflect the original request to the client in the response body. This can be configured from the Network Config > Protocols > admin-listener > HTTP tab.īy performing HTTP requests against the GlassFish Administration Console using the TRACE method, a remote, unauthenticated attacker can get access to the content of restricted pages in the Administration Console, because GlassFish Server will behave as if it were handling GET requests from authenticated users. This administrative server, which is accessed by the Administration Console, has the HTTP TRACE verb enabled by default. By default, when GlassFish Server starts, it runs an HTTP listener named admin-listener, associated with the _asadmin virtual server. It provides a small footprint, fully featured Java EE application server that is completely supported for commercial deployment and is available as a standalone offering. Technical Description / Proof of Concept Codeīuilt using the GlassFish Server Open Source Edition, Oracle GlassFish Server delivers a flexible, lightweight and extensible Java EE 6 platform. This vulnerability was discovered and researched by Francisco Falcon from Core Security Technologies.Ĩ. There is a checkbox "Trace: Enable TRACE operation" (checked by default) uncheck it and then save changes.įinally, restart GlassFish by doing C:\glassfishv3\bin>asadmin restart-domainĪfter following these steps, when executing the PoC included in this advisory, the webserver should respond:Ĥ05 TRACE method is not allowed headers = Navigate through: Network Config > Protocols > admin-listener > HTTP. In the GlassFish Admin Console, go to the Tasks tree. ORACLE GLASSFISH UPGRADEAs a policy, Oracle does not provide workarounds unless they can be easily applied by every customer.įor users who cannot upgrade to the latest patched version, the following workaround can be applied in order to avoid this flaw: Oracle also notifies that patches for previous versions will be available in July, 2011. Oracle notifies that GlassFish Server 3.1 was released in March 2011 and was fixed before release, so it is not affected. Vendor Information, Solutions and Workarounds This vulnerability can be exploited by remote attackers to access sensitive data on the server without being authenticated, by making TRACE requests against the Administration Console.Ĭontact Oracle for patches for other GlassFish versionsĦ. The Administration Console of Oracle GlassFish Server, which is listening by default on port 4848/TCP, is prone to an authentication bypass vulnerability. Title: Oracle GlassFish Server Administration Console Authentication BypassĬlass: Authentication Bypass Issues īuilt using the GlassFish Server Open Source Edition, Oracle GlassFish Server delivers a flexible, lightweight and extensible Java EE 6 platform. Oracle GlassFish Server Administration Console Authentication Bypass ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |